
Bug Bounties – Exploiting a weakness in the crowd

Firstly, for those not familiar with the term, a ‘bug bounty’ is a scheme whereby a company offers a reward to someone who is able to find and report a defect (bug) in their software product. The rewards differ depending on the programme and the organisation, but typically include money, swag (gifts) or recognition on a Hall of Fame page on the company’s website.

Such schemes are not restricted to the cyber security market. All types of bugs can be found within software, including functionality, usability and even performance related issues.

As a researcher, what you tend to find is that you are testing a version of software that has already been through several iterations of security testing. Therefore, these challenges are not for the faint hearted or those with a shiny new Burp licence, as it is highly likely that one will invest many hours of research time in a test before finding what the company would regard as a worthwhile and potentially serious flaw within the application.

Discovering cookies without their appropriate flags set (Secure, HttpOnly), directory listing issues or missing X-Frame-Options headers will not win you any kudos or pay the mortgage. What we are looking for are significant vulnerabilities, such as data validation or injection issues (SQLi, command injection), and serious flaws in authentication, encryption or user access controls.
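As an added example (not code from the original post), the following Python triage helper flags exactly the informational findings listed above in a raw HTTP response, so they can be kept out of a submission or noted as low severity before spending time on a write-up. Both sample responses are constructed for illustration and are not captured from any real target.

```python
"""Pre-submission triage: spot the informational findings a bounty
programme will usually not pay for (weak cookie flags, no anti-framing
policy, directory listing).  Added example, not from the original post."""

import re
from typing import List, Tuple

# Constructed sample: a session cookie without Secure/HttpOnly, no framing
# protection, and an Apache-style directory listing in the body.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><head><title>Index of /uploads</title></head>"
    "<body><h1>Index of /uploads</h1>"
    '<a href="../">Parent Directory</a></body></html>'
)

# Constructed sample with the same issues addressed (CSP frame-ancestors
# is an accepted replacement for X-Frame-Options).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

DIRLIST_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw response into (status line, [(header, value)], body).
    Header names are lower-cased; duplicate headers are preserved."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def cookie_findings(headers: List[Tuple[str, str]]) -> List[str]:
    """Report every Set-Cookie that lacks the Secure or HttpOnly attribute."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie '{cookie_name}' lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie '{cookie_name}' lacks HttpOnly")
    return findings


def framing_findings(headers: List[Tuple[str, str]]) -> List[str]:
    """Flag a response that has neither X-Frame-Options nor a CSP
    frame-ancestors directive (either one is enough to pass)."""
    names = {n for n, _ in headers}
    if "x-frame-options" in names:
        return []
    csp = " ".join(v for n, v in headers if n == "content-security-policy")
    if "frame-ancestors" in csp:
        return []
    return ["no X-Frame-Options header and no CSP frame-ancestors directive"]


def directory_listing_findings(body: str) -> List[str]:
    """Detect the common 'Index of /...' title that auto-indexing produces."""
    return ["directory listing enabled"] if DIRLIST_RE.search(body) else []


def informational_findings(raw: str) -> List[str]:
    """Return the informational (low-value) findings present in a response."""
    _, headers, body = parse_response(raw)
    return (cookie_findings(headers)
            + framing_findings(headers)
            + directory_listing_findings(body))


if __name__ == "__main__":
    for label, resp in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "->", informational_findings(resp) or "nothing informational")
```

The checks are deliberately conservative: a single Secure+HttpOnly cookie passes, and a CSP `frame-ancestors` directive is treated as equivalent to `X-Frame-Options`, so the helper will not nag about a site that has chosen the modern header. Anything it reports is worth noting in a report as informational at most, not submitting on its own.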

Now here is the catch. Having spent many ‘downtime’ hours sitting in hotel lobbies exploring the various bug bounty schemes available, and participating mainly in web application engagements, I have found that only a small percentage of reported issues are actually being rewarded. It seems I am not alone: on canvassing opinions from fellow researchers, a common response is… “nah, mainly dupes”.

Although recognised as valid issues, the majority of bugs are thrown directly into the duplicates (dupes) bucket. A standard email is received thanking the researcher for the time invested in finding an issue that, unfortunately, had been discovered several weeks earlier by various other researchers. This is often followed by an apology and a request to see any other submissions that you may have.

Most researchers accept that there is a possibility of a duplicate issue being reported and it is only fair to reward on a first find basis – but not many expected this to become the norm.

Don’t get me wrong, bug bounties do provide an excellent opportunity to try out new techniques, sharpen skills, test patience and potentially find a 0-day in a commercial application. Organisations also benefit massively from continuous assessment, which improves their overall security posture.

However, this does pose several questions about whether companies are exploiting the talents of cyber security researchers. Is this really a win-win approach? Will researchers continue to invest their time for little return? Are bug bounty schemes exploiting a weakness in the crowd?